New research has shown that your Visa card (credit or debit) can be cracked frighteningly easily in around six seconds flat via a method which simply involves guessing the correct details, and exploits two main weaknesses in the card’s payment security system.
Security experts at Newcastle University in the UK found the flaws in the Visa system, obtaining details using a ‘distributed guessing attack’ which could, they theorise, have been used in the major Tesco Bank fraud which happened a month ago and affected some 40,000 customers.
So how does this work? Basically, the first of the two aforementioned major weaknesses is the fact that the online payment system for Visa doesn’t detect spammed payment attempts across multiple sites, meaning attackers can use their 10 to 20 guesses on each site across a huge number of websites to effectively allow for ‘unlimited’ guesses at card data fields.
When combined with the second weakness – namely that different sites ask for different variations in card data fields during the purchase process – this means the attacker can build up information on the card, putting it together like a jigsaw.
As Mohammed Ali, lead author on the paper and PhD student at Newcastle University, notes: “The unlimited guesses, when combined with the variations in the payment data fields make it frighteningly easy for attackers to generate all the card details one field at a time.”
Every card field cracked can then be used to obtain the next piece of the puzzle. While attackers may typically start off with the card number anyway (obtained from a data breach, most commonly), and use this method to crack the other details including the CVV (verification code on the back), they don’t even need the full number.
Ali notes: “Even starting with no details at all other than the first six digits – which tell you the bank and card type and so are the same for every card from a single provider – a hacker can obtain the three essential pieces of information to make an online purchase within as little as six seconds.”
A worrying prospect indeed, and some pieces of card data are almost trivially easy to guess – the expiry date only takes around 60 attempts, for example, and even the CVV security code (a three digit number) takes less than a thousand attempts, which can be easily spread across a thousand websites and a result will come back verified within a couple of seconds.
MasterCard not vulnerable
The main problem, then, is simply this allowing of effectively unlimited guesses at card details as long as they’re spread across a load of different sites. That’s where the Visa network falls down, because it doesn’t pick up on multiple failed attempts like so – whereas MasterCard, on the other hand, picked up on these scattered guesses in under 10 attempts at different sites.
Clearly, there’s a problem that needs to be addressed here, although Visa told the Guardian that it had multiple layers of fraud prevention, and measures such as ‘Verified by Visa’ thwart attempts at fraud. Which is fine if the online retailer uses this, but unfortunately the majority don’t.
The researchers used software tools, a bot and automated scripts, along with their own Visa cards, to carry out test runs in cracking the cards using nearly 400 of the biggest online retailers. Only 12% of those sites employed Verified by Visa and therefore proved resistant to being exploited.
Visa told the Guardian: “We provide issuers with the necessary data to make informed decisions on the risk of transactions. There are also steps that merchants and issuers can take to thwart brute force attempts.” In other words, Verified by Visa, and a spokesman for the company noted that where retailers fail to use this scheme for ‘card not present’ transactions, they are assuming the risk for fraud.
Dr Martin Emms, co-author on the paper, observed that everyone should check their card statements regularly for any suspicious activity, and stated: “We can all take simple steps to minimise the impact if we do find ourselves the victim of a hack. For example, use just one card for online payments and keep the spending limit on that account as low as possible. If it’s a bank card then keep ready funds to a minimum and transfer over money as you need it.”